Supply chains under the GDPR—arrangements between controllers and processors

The following Financial Services guidance note provides comprehensive and up-to-date legal information covering:

  • Supply chains under the GDPR—arrangements between controllers and processors
  • Key guidance
  • The GDPR and arrangements between controllers and processors
  • General obligations on controllers using processors under the GDPR
  • Specific obligations on controllers using processors under Article 28 of the GDPR
  • Related provisions the controller should consider including
  • Obligations on processors under the GDPR
  • Sub-processing
  • Standard processing clauses, approved codes of conduct and certification schemes
  • Sanctions and enforcement

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

This Practice Note addresses the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) as it applies in the UK where a processor will process personal data on behalf of a controller and covers:

  1. the data protection regime under the GDPR as applicable to arrangements between controllers and processors

  2. the general obligations on controllers using processors under the GDPR

  3. the specific obligations on controllers using processors under Article 28 of the GDPR

  4. obligations on processors under the GDPR

  5. related provisions the controller should consider including

  6. sub-processing

  7. standard processing clauses, approved codes of conduct and certification schemes

  8. sanctions and enforcement

  9. steps controllers should take to